ClearPoint Learning Systems: Closing the Book on Web Application Vulnerabilities

Following a customer’s recommendation, this leading interactive health education provider turn to Qualys WAS to harden its web portals – and it hasn’t looked back since.

With more than 1,000 successful implementations in 10 years, ClearPoint Learning Systems is a global authority in interactive health education. ClearPoint creates on-demand, multichannel tools, including electronic ones, to enable life science sales, marketing, and compliance professionals to grow their brands, increase clinical competencies, comply with regulations and enhance relationships with health care providers.

“We’ve found Qualys to perform as promised. Literally, after using the tool for only about three weeks, we were able to put together a process by which we can scan a site, get the results, and assign a team to start addressing any vulnerabilities that are identified as we’re scanning the next site.”

Dave Phillips,
Director of Technology at ClearPoint Learning Systems

Dave Phillips

A vital part of ClearPoint’s relationship with its customers is trust. “The security of the on-demand web services we provide is crucial,” says ClearPoint’s director of technology Dave Phillips. “Anytime a server goes online, any site goes online, it’s potentially vulnerable to compromise. Having the right tools in place is very important to make certain our web portals are secure.”

That judgment is increasingly germane today. Web application vulnerabilities are among the most common vectors of attacks aimed at information systems. It doesn’t matter if you are an international corporation or a small business: if your business has a web presence, you’re a target. Why are web applications so heavily targeted today? First, the exploits that compromise sensitive data – cross-site scripting, SQL injection, and cross-site request forgery – are complex. Second, web applications are ubiquitous and software companies and in-house development teams have been placing very insecure applications into production for years.

Web Application Security: Accurate, Actionable Reports Needed

Phillips understood that to keep ClearPoint’s systems secure, and to be able to assure customers that the educational portals it provides are secure, these applications needed to be vetted for vulnerabilities. However, the several open source tools ClearPoint had in place proved limited and couldn’t keep up as ClearPoint’s business grew. “Just as our business grows, security becomes more important. We wanted to strengthen the tool set that we had available,” he says. That’s when Phillips set out to find the best tools it could to help ClearPoint vet its web applications for vulnerabilities that would leave them susceptible to attack.

“A customer recommended Qualys Web Application Scanning (WAS) as a system we should evaluate because of the breadth of capabilities it offered,” says Phillips. “Qualys came highly recommended because of its Software-as-a-Service delivery, automatic updates, and ease of management. After getting such a recommendation from one of our customers, we couldn’t help but dig deeper and learn the capabilities of the tool.”

Built on Qualys’ new and powerful next generation SaaS platform, Qualys WAS brings a level of vulnerability assessment and web application security scalability that wasn’t before possible. Qualys WAS identifies web application vulnerabilities in the OWASP Top Ten, such as SQL injection, cross-site scripting (XSS) and URL redirection, in addition to new, emerging threats. And, through its easy-to-employ interface and automation, Qualys WAS simplifies the complexity and reduces costs of web application scanning. Just as important, scan results are not riddled with time-consuming false positives, and provide remediation workflows. “The reports in Qualys also are very intuitive. They’re visually informative, so even as a non-developer, you can see the analysis and know exactly what needs to be done,” Phillips says.

“We’ve found Qualys to perform as promised. Literally, after using the tool for only about three weeks, we were able to put together a process by which we can scan a site, get the results, and assign a team to start addressing any vulnerabilities that are identified as we’re scanning the next site,” he says. “We’re not a big shop. So we’re able to do this with tight resources. You don’t need a team of 50 people to be successful at remedying web application vulnerabilities.”

Another very valuable benefit of the service for Phillips is that he can leverage the research Qualys provides, so he can focus more on delivering and securing its IT services. “Every week, we get an automated email that lists new risks. That’s research and time we don’t have to invest because Qualys is doing it for us,” he says.